Perform the following task to enable SSL on WebHBase and the HBase REST API.
Note: To access SSL-enabled HDP services through the Knox Gateway, additional configuration on the Knox Gateway is required. See Apache Knox Gateway Administrator Guide, Gateway Security, Configure Wire Encryption.
Verify that the HBase REST API is running. On the HBase Master, run:
curl http://localhost:60080/
If the REST daemon is not running on that port, run the following command to start it:
sudo /usr/lib/hbase/bin/hbase-daemon.sh start rest -p 60080
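Create and install an SSL certificate for HBase. For example, to use a self-signed certificate:
Create an HBase keystore. The command below generates a 1024-bit RSA key; RSA keys shorter than 2048 bits are no longer considered adequate, so raise -keysize for anything beyond a test cluster: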
su -l hbase -c "keytool -genkey -alias hbase -keyalg RSA -keysize 1024 -keystore hbase.jks"
Export the certificate:
su -l hbase -c "keytool -exportcert -alias hbase -file certificate.cert -keystore hbase.jks"
Add the certificate to the Java keystore:
If you are not root, run:
sudo keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts
If you are root, run:
keytool -import -alias hbase -file certificate.cert -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts
Add the following properties to the hbase-site.xml configuration file on each node in your HBase cluster:
<property>
  <name>hbase.rest.ssl.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hbase.rest.ssl.keystore.store</name>
  <value>/path/to/keystore</value>
</property>
<property>
  <name>hbase.rest.ssl.keystore.password</name>
  <value>$keystore-password</value>
</property>
<property>
  <name>hbase.rest.ssl.keystore.keypassword</name>
  <value>$key-password</value>
</property>
Restart all HBase nodes in the cluster.
Note: When using a self-signed certificate, manually add the certificate to the JVM truststore on all HBase clients.
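A pre-restart check for the hbase-site.xml step above, as an added example that is not part of the original guide: it parses the file content and reports any of the four hbase.rest.ssl.* properties that are missing, empty, still set to the placeholder values shown above, or (for enabled) not true. The helper names and the sample keystore path and passwords are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "hbase.rest.ssl."
REQUIRED = ("enabled", "keystore.store", "keystore.password", "keystore.keypassword")
# Placeholder values from the property block above; they must not reach a node.
PLACEHOLDERS = {"/path/to/keystore", "$keystore-password", "$key-password"}


def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            # If a name is repeated, the last value seen is kept.
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_rest_ssl(xml_text):
    """Return a list of findings; an empty list means all four properties are set."""
    props = load_properties(xml_text)
    findings = []
    for suffix in REQUIRED:
        name, value = PREFIX + suffix, props.get(PREFIX + suffix)
        if value is None:
            findings.append(name + ": missing")
        elif not value:
            findings.append(name + ": empty")
        elif value in PLACEHOLDERS:
            findings.append(name + ": placeholder not replaced")
        elif suffix == "enabled" and value.lower() != "true":
            # Only the boolean is echoed back; password values are never printed.
            findings.append(name + ": expected true, found " + value)
    return findings


def make_site(*values):
    """Build a constructed hbase-site.xml from four values, in REQUIRED order."""
    row = "<property><name>%s%s</name><value>%s</value></property>"
    body = "".join(row % (PREFIX, k, v) for k, v in zip(REQUIRED, values))
    return "<configuration>" + body + "</configuration>"


# Constructed samples: the path and passwords are made up for this example.
GOOD = make_site("true", "/etc/hbase/conf/hbase.jks", "example-store-pw", "example-key-pw")
BAD = make_site("false", "/path/to/keystore", "example-store-pw", "$key-password")

if __name__ == "__main__":
    print(check_rest_ssl(GOOD), check_rest_ssl(BAD))
```

To use it on a node, pass the text of that node's hbase-site.xml to check_rest_ssl and treat a non-empty result as a reason not to restart yet.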